Description

ksslcfg manages smf(5) instances for the Kernel SSL proxy module. An SSL-enabled
web server can use the services of its Kernel SSL proxy to improve
the performance of the HTTPS packets processing. It does so by creating
an instance of the Kernel SSL service, specifying the SSL proxy port
and parameters, and by listening on the proxy port.

The create subcommand creates an instance and enables the service for the
given address and SSL port.

The delete subcommand disables the service for the given address and port,
if it is enabled, and deletes the instance from the SMF repository.

ksslcfg can be run as root or by other users assigned to
the Network Security profile. See rbac(5) and user_attr(4).

After ksslcfg successfully configures the service in the kernel, the proxy application
must be started, or restarted if it is already running.

You must run ksslcfg to configure your Kernel SSL proxy before you
start your application.

ksslcfg allows you to specify an ssl_port operand, described under OPERANDS, and,
with the -x option, a proxy_port value. When specified for use with
the Kernel SSL proxy, these values cannot also be configured for the Solaris
Network Cache and Acceleration (NCA) feature.

The Fault Managed Resource Identifier (FMRI) for the kernel SSL proxy instances
is svc://network/ssl/proxy. ksslcfg creates an instance of that service unique to the
combination of host and SSL port. Instance FMRIs for particular proxy entries
can be found with svcs(1) and used for dependencies of other services. The
state of the service instance tracks in-kernel configuration only. It does not
reflect the presence or state of the application listening on the proxy port.

Options

The following options are supported:

-cciphersuites

Set of ciphers a client is allowed to negotiate in a sorted order. The supported SSL version3 and TLS ciphers are listed below. Note that the names are case-insensitive.

Uses the certificate/key format specified in key_format. The supported options are pkcs11, pkcs12, and pem.

-ikey_and_certificate_file

When pkcs12 or pem is specified with the -f option, reads a key and a certificate of the web server from key_and_certificate_file. This file can also contain any intermediate CA certificates that form the certificate chain to the root CA for the server certificate. These certificates must follow the server certificate in the file and the order must be bottom up: lowest level CA certificate followed by the next higher level CA certificate, and so on.

-Ccertificate_label

PKCS#11 can store multiple certificates in single token. This option enables you to specify a single certificate, identified by certificate_label. This label must match the CKA_LABEL on the certificate object in the token specified by -T. This option is to be used only with -fpkcs11.

-dsofttoken_directory

This option is applicable only with the pkcs11 key format, when the token label is the Sun Software PKCS#11 softtoken. Use this option to override the default location of the PKCS#11 softtoken directory ($HOME/.sunw). See pkcs11_softtoken(5).

-hca_certchain_file

When pkcs11 is specified with the -f option, reads a set of intermediate CA certificates that form the certificate chain to the root CA for the server certificate (specified with the -C option), from ca_certchain_file. The file must be in PEM format.

-ppassword_file

Obtains the password used to encrypt the private key from password_file. When using the pkcs11 option (see -f, above), the password is used to authenticate the user to the PKCS #11 token.

-tssl_session_cache_timeout

The timeout value, in seconds, for an SSL session. It corresponds to SSL3SessionTimeout of the Sun ONE web server configuration or SSLSessionCacheTimeout of mod_ssl.

-Ttoken_label

When pkcs11 is specified with -f, uses the PKCS#11 token specified in token_label. Use cryptoadm list-v to display all PKCS#11 tokens available.

-uusername

The username of the user who owns the password file. If omitted, the system will try to read the password file as root.

-v

Verbose mode.

-V

Displays the version.

-xproxy_port

The SSL proxy port. The port number is designated exclusively for clear-text HTTP communication between the web server and the kernel SSL proxy module. No external HTTP packets are delivered to this port.

-zssl_session_cache_size

The maximum number of SSL sessions that can be cached. It corresponds to SSLCacheEntries of the Sun ONE web server configuration. When this option is not specified, the default is 5000 entries.

-?

Displays the usage of the command.

Operands

[host] [ssl_port]

The address and the port of the web server for which the kernel SSL entry is created. If host is omitted, the entry will be used for all requests that arrived at the ssl_port, regardless of the destination address. Both a host name and an IP address are acceptable forms for host. ssl_port is required. Typically, this has a value of 443.

Examples

Example 1 Create and Enable a Kernel SSL Instance

The following command creates and enables a Kernel SSL instance using a
certificate and a key in PKCS#11 format.

The sequence of commands shown below establishes a dependency of a proxy
application on a KSSL instance. Note that he proxy application should only
be started after the SSL kernel proxy instance has been started.

The following commands establish the dependency of an Apache 2.2 web server.
KSSL has been configured to listen on SSL port 443 and a
wildcard address.

Notes

ksslcfgcreate without an host argument creates an INADDR_ANYsmf instance. ksslcfgdelete without an host argument deletes only the INADDR_ANY instance. ksslcfgdelete
needs a host argument to delete any non-INADDR_ANY instance.

On a system with zones(5) installed, the ksslcfg command can be used
only in the global zone at this time.